ABSTRACT


This report provides a summary of initial results of a project investigating solutions to problems in flowing valued information among coalition partners. The research objectives of the Flowing Valued Information project include: (1) improving our capability to enable automated understanding of command intent and (2) improving our capability to provide automated support of a command decision to share information. Initial investigations have indicated a need to extend the mathematical foundations provided by D. Elliott Bell and Leonard J. La Padula which applied early system theory to enable building formal systems for proving security results for distributed computing systems.

Our extensions are in two areas: (1) we discuss application of current system theory results in modeling compositions of continuous and discrete systems, and (2) we discuss mathematical foundations for adding support for a commander's decision to share information. The motivation for the extensions is grounded in two continuing shortfalls in science and technology available for decision support: (1) the inability of current system models to predict future state of complex systems and (2) the continued difficulty in enabling automated support for a commander's decision to share information in order to meet mission requirements. We believe that useful extensions are achievable for building more accurate models of complex system interactions for small unit operations since general system theory has advanced since the work of Bell and La Padula, and we believe that explicit extensions for sharing information are needed (and possible) for information which needs to be shared while simultaneously protecting information which must remain protected.

Many of the available solutions for sharing information have successfully created multi-level secure systems (networks of systems) which follow access control rules (many based on the Bell-La Padula security model) in which access to information is granted to a given level of classified information once confirmation is achieved that a given subject has the required clearance (mandatory access control). However, the current implementation of mandatory access controls and role-based access controls does not support mission success for those missions that require sharing information on an ad hoc basis, especially at the lowest tactical level for operations which require social and cultural awareness of local populations and non-government agencies as well as local support in achieving mission success. Thus, there is a need to explicitly enable categories of information which can be labeled "need-to-share".

We note that similar needs are present in commercial systems where proprietary information needs to be protected while marketing information needs to be shared. As in the case of the early work by Bell and La Padula, we begin with an introductory section to bridge the gap between systems theory and practical problem solving.

We then extend the Bell-La Padula model to include continuous and discrete system states as is done for current general system theory for control of complex, distributed systems. We also extend the Bell-La Padula definitions for "security" and "compromise" to include a definition of a "need-to-share" and a "failure to share". A basic result concerning security in computer systems, using the precise notions for "security", "compromise", "sharing", "need-to-know", and "need-to-share", is then given.

Finally, we demonstrate via a platoon-level scenario why compositions of continuous and discrete (hybrid) systems models are needed to reason about command intent and why implementation of "need-to-share" information is needed to help achieve command intent.
PREFACE


The early paper by Bell and La Padula applied general systems theory available at that time. Since then, system theory has been extended to include not only the discrete-valued finite state systems considered by Bell and La Padula but also compositions of continuous and discrete systems. A central argument of our project is that building secure systems today requires an underlying modeling framework which supports both formal logical analysis of the current and future state of the system under discussion as well as predictive analysis of analytical components which must obey the laws of physics. Since modeling large networks of interacting, complex systems is not feasible, the issue at hand in our investigations is to model enough of the continuous dynamics to capture physics of interest while maintaining the ability to reason about the logical state of the system (the set of discrete components). Thus, analysis of secure computer systems for current and future military operations (net-centric or net-enabled operations) requires a framework which admits composition of discrete and continuous systems. This argument is not new in general system science. Indeed, for several years every student majoring in either electrical engineering or computer science at the University of California at Berkeley has taken a course which requires considering systems as compositions of continuous and discrete components (Lee & Varaiya, 2000).

The extensions to the Bell and La Padula model reported in this paper lay the groundwork for: (1) building more accurate models of the complex operational environments of today and tomorrow, and (2) providing automation support for a commander's decision to share information while simultaneously maintaining the security of information which must not be compromised. Indeed, concerning the issue of sharing information, we take the position that at least one category of data, metadata, should be shared continuously with everyone, all of the time, and in every area (e.g. information metadata for all categories of information should be shared with all categories of users).
SECTION I INTRODUCTION


General Systems

As indicated in the abstract, general system theory has advanced considerably since the very capable summary of the subject was provided by Bell and La Padula over 35 years ago (Bell & LaPadula, 1973). The discussion below concerning creating a general system model for complex systems follows the development of the text used by Professors Edward Lee and Pravin Varaiya for educational programs for electrical engineers and computer scientists (Lee & Varaiya, 2000). The primary distinction to be discussed is that while Bell and La Padula considered a system in its most general form to be a relation on abstract sets, the modern system theorists add consideration of continuous systems as well as compositions of discrete, set-based, systems and continuous systems. Functional concepts of a mapping from one state space (the domain) to another (the range) remain the same. That is, while Bell and La Padula considered the expression $S \subseteq X \times Y$, where the system $S$ is a relation on the abstract sets $X$ and $Y$, Lee and Varaiya (and others) consider the general system $S$ to have elements which are members of abstract sets and also elements which are members of general functional spaces (Lee & Varaiya, 2002).

Systems Modeling

General systems theory has been a very valuable tool for advancing our understanding of complex systems. Unfortunately, however, the science of systems modeling still lags the complexity of large-scale networks of systems of interest (e.g. power generation and distribution networks, telecommunications networks, and economic networks) in the sense of being unable to predict future behaviors of networks of systems (BAST, Board on Army Science and Technology, 2005). For purposes of this paper, we restrict the complexity of systems under consideration to those whose behaviors can be modeled by current systems theory. The practical application of the theory to real-world problems for any given system then depends upon the predictions of future system state available from the model being "close enough" to the actual future states of the system of interest.

For purposes of this paper, we are interested in (1) extending the models of the systems being analyzed to include what are described today as "complex systems" and (2) extending the existing Bell-La Padula model for defining a failure to secure information (a security compromise) to include defining a failure to share information (a sharing compromise).

Following the development in the original Bell and La Padula paper, we assume a system, $S$, to be adequately approximated as an input-output relation. That is, we consider the behaviors of $S$ to be represented as:

$S \subseteq V \times X$

where $S$ is a function from $V$ to $X$ ($S: V \to X$), and it is natural to consider $S$ to be a functional system. In this case, it is convenient to consider the elements of $V$ to be inputs and the elements of $X$ to be outputs (the state of the system) so that $S$ expresses a functional input-output relationship. However, while Bell and La Padula assumed that $V$ and $X$ are members of abstract sets, capturing the complexity of networked systems of interest requires that the domain and range of the functions of interest be expanded to include real-valued variables as well as discrete-valued variables. Following the development of hybrid control theory as discussed by Lygeros, Pappas, and Sastry (Lygeros, Pappas, & Sastry, 1999), we consider the functional behavior (input-output mapping) of a complex system, $S$, to be closely approximated by a hybrid automaton, $S$, which captures the logical and physical constraints on system evolution: $S = (X, V, Init, f, Inv, R)$ where

$X$ is a finite collection of state variables. We assume $X = X_D \cup X_C$ with $X_D$ countable and $X_C \in \mathbb{R}^n$;

$V$ is a finite collection of input variables. We assume $V = V_D \cup V_C$ with $V_D$ countable and $V_C \in \mathbb{R}^m$;

$Init \subseteq X$ is a set of initial states;

$f : X \times V \to \mathbb{R}^n$ is a vector field, assumed to be globally Lipschitz in $X_C$ and continuous in $V_C$;

$Inv \subseteq X \times V$ is an invariant set;

$R : X \times V \to 2^X$ is a reset relation.

We refer to $x \in X$ as the state of $S$ and to $v \in V$ as the input of $S$.

Associated with this model are rigorous definitions of continuous and discrete states and associated models of continuous behaviors and discrete behaviors and hybrid (combination of continuous and discrete) behaviors. These behaviors consist of continuous, discrete and hybrid trajectories from a set of initial states to a set of final states. The complete power of the hybrid modeling approach is not needed for each component (and may not be desirable!). For some (maybe most) of the components, a discrete model such as that used by Bell and La Padula is sufficient. Likewise, for some components, a continuous-system model is sufficient. The hybrid model is used when the future states of the composed system include parameters of interest which exhibit both discrete and continuous behaviors (evolutions). We are convinced that for our particular problem space, the hybrid model is generally required for capturing the range of parameter values of interest for complex system evolution. Our problem space of interest in this paper is that which can adequately represent tactical-level military operations where success in humanitarian assistance/disaster recovery (HADR) operations requires reasoning about trustworthiness of information elements to be flowed between distributed information nodes in a manner which (1) increases the value of information available for goal-oriented decisions in accordance with the intent of the commander, taking into account that some of the information elements vary continuously with time and space, and (2) complies with a command decision to share information. It is interesting to note that addressing item one above (flowing valued information) was a subject of discussion at the time the creators of the original Bell-La Padula model were working on their model (Bell D. E., 2005), (Landwehr, Heitmeyer, & McLean, 1984), (Denning, 1976), at least in terms of seeking to analyze information security in terms of information flow. While this paper seeks to extend the framework of Bell and La Padula in terms of a formal treatment of general systems modeling and information sharing, we remark that the implementation details, in addition to following the Bell-La Padula extensions in terms of information security and sharing, will also be achieved as extensions to the current military messaging systems in terms of information flow between network nodes. As indicated by John McLean, there has long been considerable interest in fashioning the treatment of security in the same manner as Shannon had done for information theory by establishing the science for determining channel capacity (McLean, 1990). McLean's treatment of information flow considers bi-directional flow of information as preserving security for causal systems if the security state of the information object of interest is considered at different instances of time. However, McLean's treatment does not consider continuous values in time and space and also does not consider the case in which information value decays over time or distance from where it is most useful. Bell's review in 2005 of the Bell-La Padula model states: "Consideration of access modes led to the unexpected identification of a hard-to-name information flow property, the *-property. The relation $W$ that conceptualized allowable changes of state was not constructive and was therefore insufficient for the analysis and formulation of core system calls that change the security state." (Bell D. E., 2005) The *-property refers to the basic constraint of information flow across a security level in the Bell-La Padula model as allowing "no read-up, no write-down" operations (Figure 1 and Figure 2 of Bell D. E., 2005). Thus, decision support tools available to commanders today continue to rely on security models which restrict analysis to parameters whose values are members of sets. This restriction does not enable reasoning about parameters of interest whose values change continuously. An example of situations in which reasoning about continuously-varying parameters is essential for mission success is provided in the appendix.

Flowing Information

As indicated by a key individual in implementing the current security features available in Java, Li Gong, "Fred Schneider, a key member of the Java Security Advisory Council, together with his PhD student at Cornell, Ulfar Erlingsson, proposed Inline Reference Monitors, which promised not only a mechanism to completely separate security policy from enforcement (via bytecode rewriting) but also a theoretical proof that the solution was extremely expressive - it is able to encode all enforceable policies (Gong, 2009)." The idea of incrementally adding security features as information flows through a system has also been investigated by Tse and Zdancewic: "In addition to allowing more expressive security policies, run-time principals enable the integration of language-based security mechanisms with other existing approaches such as Java stack inspection and public key infrastructures. We sketch an implementation of run-time principals via public keys such that principal delegation is verified by certificate chains (Tse & Zdancewic, 2007)." Incremental manipulation of signals over time is also an attribute of causal systems, which are the category of systems considered by the controls community. The hybrid automaton modeling approach has been developed within the control community for analysis, design and implementation of distributed (networked) control systems. The technology enables a more rigorous analysis of the Service Oriented Architecture (SOA) or middleware approach for distributed system development whereby applications use well-defined interfaces to access services from other local and distributed applications (the service or middleware) in order to enable achieving desired functionality.

By appropriate choice of the domain and range of the functional system (hybrid automaton) (and a set $Z$ to represent outputs when necessary), one can closely represent some situation of particular interest and reach significant conclusions about that situation.

Secure Computer Systems

As well stated by Bell and La Padula and extensively developed since their paper, a large number of systems have been implemented which address the general problem of security in some form and to some extent. For some implementations of secure systems, privacy of data is the principal objective; in others, the prime objective is access control, and in others availability of system resources and/or capabilities may dominate tradeoff decisions between risk and functionality (Ross, Katzke, Johnson, Swanson, & Stoneburner, 2008). As was the case when Bell and La Padula made their contribution in 1973, for the security criteria which we shall establish, however, no existing system of which we are aware is adequate. That is, to our knowledge, no one has extended the Bell and La Padula model to either explicitly include compositions of continuous and discrete system components, nor has anyone extended the model to include support for declaration of a "need to share" information.

We accept the Bell and La Padula definition of a secure computer system. That is, we mean one which satisfies some definition of "security" where our interest in security is in the usual military and governmental senses in which security relating to information elements is determined in terms of a range of security classifications (UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET, ...) for those information elements and also in terms of a user's "need-to-know" those information elements. However, in addition to the above notion of a secure computer system, we add discussion of the "need to share" information elements. That is, our interest in sharing is in the usual military and governmental senses in which sharing decisions regarding information elements are made in terms of a range of security classifications (UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET, ...) for those information elements and also in terms of a commander's decision of a "need-to-share" selected information elements with selected users and/or groups.

Also, while we shall investigate a bounded subset of the general problem of computer security for networked devices, the problem is chosen to be representative of the more general problem of improving our understanding (prediction) of the future states of sets of interdependent complex networks of infrastructures (James, Dodge, Graham, & St. Leger, 2009) and the populations which use them (Thompson, 2006). Indeed, the more general problem for operationally-significant information elements is to value the information relative to its trustworthiness and temporal and spatial relevance (James J. R., Thoughts on Information Operation Detection as a Nonlinear, Mixed-Signal Identification Problem: A Control Systems View, 2000; James & Mabry, Building Trustworthy Systems: Guided State Estimation as a Feasible Approach for Interpretation, Decision and Action Based on Sensor Data, 2004) (James & McClain, Tools and Techniques for Evaluating Control Architecture, 1999). That is, the issue of valuation and sharing of battlespace data is directly tied to estimating trust among the participants in providing information artifacts concerning battlespace state as well as in estimating the temporal and spatial degradation of the relevance of the information between different points among the battlespace dimensions.

As in the case of the Bell-La Padula paper, our interest in this paper is in a bounded subset of the general certification problem (Ross, Katzke, Johnson, Swanson, & Stoneburner, 2008) which is to provide an approach to certify security status within a single computer (i.e. a single component of an information system comprised of a network of devices). That is, we seek to certify that a security compromise has not occurred within a given computer. In addition, we also seek to certify that a sharing compromise (failure to share elements of information which have been marked as "need to share") has not occurred within a given computer. As with Bell and La Padula, the entities with which we shall deal, then, are those appropriate for consideration on a single computer: applications, data, algorithms which control access to data, classifications of data elements and applications, the "need-to-know" status of computer entities, and the "need-to-share" status of computer entities.

Problems of Security

Absolute security is not known to be achievable with available science and technology. The approach taken by the National Institute of Standards and Technology (NIST) under the authority of the Federal Information Systems Management Act (FISMA) is to make explicit decisions regarding balancing functionality with risk and to certify systems for operation after putting acceptable controls in place to achieve the selected level of risk (Ross, Swanson, Stoneburner, Katzke, & Johnson, 2004). For military operations, there are situations, such as Humanitarian Assistance/Disaster Recovery (HADR) operations, where mission success requires that relevant operational information be shared with individuals and groups not normally among those with whom we share operational information. A widely-recognized operational shortfall is an inability to provide automated support to operational decisions to share information. One need is to provide automation support to small unit commanders to exercise military judgment and choose what information to share with whom and when to share the information. At the same time, provision of that support to automatically share relevant information needed for mission success must be implemented in such a fashion as to not lead to security compromises of information which remains in a "need to know" status.

Following Bell and La Padula, we consider a security compromise to be unauthorized access to information, where unauthorized means that an inappropriate clearance or a lack of need-to-know is involved in the access to the information. The approach taken by Bell and La Padula (Bell & LaPadula, 1973) solved the problem within a single computing system concerning how to guarantee that unauthorized access (by an application) to information does not occur.

Summary 

In Section I we have provided a brief overview of general systems theory and discussed the need to protect (prevent security compromise of) information which needs to be protected and to share (prevent sharing compromise of) information which needs to be shared.
SECTION II FOUNDATIONS OF A MATHEMATICAL MODEL FOR SECURING AND SHARING INFORMATION


Elements of the Model

Table I below is a modification of Table II in the original Bell and La Padula model (Bell & LaPadula, 1973) to include the capability of modeling compositions of continuous and discrete system components (the objects in the model) and also to include the ability to reason about a command decision to share information (the signal $G$ and the functions $f_5$ and $f_6$).

We add an assumption regarding the need to share information to the set of Bell-La Padula assumptions concerning the computer system of interest. That is, we assume:

1. the system has multiple users operating concurrently on a common data base,

2. the system operates with multi-level classifications for both users and data,

3. the system has need-to-know categories associated with both users and data, and

4. the system has need-to-share categories associated with both users and data.

Bell and La Padula discussed their model in terms of sets, elements of the sets, and an interpretation of the elements of the sets. Instead we follow the more general interpretation of the information flow problem as being associated with input and output signals (some signals may be sets) and systems, which transform signals.


Table I

Elements of the Model

Each entry below lists the Signal, its Elements, and its Semantics.

$S$
Elements: $\{S_1, S_2, \ldots, S_n\}$
Semantics: subjects; processes, programs in execution

$O$
Elements: $\{O_1, O_2, \ldots, O_m\}$
Semantics: objects; data, files, programs, subjects. Note: as in Section I, an object can have either (or both) continuous and discrete attributes, with $O_D$ countable and $O_C \in \mathbb{R}^n$

$C$
Elements: $\{C_1, C_2, \ldots, C_q\}$, with $C_1 > C_2 > \cdots > C_q$
Semantics: classifications; clearance level of a subject, classification of an object

$K$
Elements: $\{K_1, K_2, \ldots, K_r\}$
Semantics: need-to-know categories; project numbers, access privileges

$G$
Elements: $\{G_1, G_2, \ldots, G_l\}$
Semantics: need-to-share categories; project numbers, access privileges

$A$
Elements: $\{A_1, A_2, \ldots, A_p\}$
Semantics: access attributes; read, write, copy, append, owner, control, ...

$R$
Semantics: requests; inputs, commands, requests for access to objects by subjects

$D$
Semantics: decisions; outputs, answers, "yes", "no", "error"

$T$
Elements: $\{1, 2, \ldots, t, \ldots\}$
Semantics: indices; elements of the time set; identification of discrete moments; an element $t$ is an index to request and decision sequences

$P\alpha$
Elements: all subsets of $\alpha$
Semantics: power set of $\alpha$

$\alpha^\beta$
Elements: all functions from the set $\beta$ to the set $\alpha$

$\alpha \times \beta$
Elements: $\{(a, b) : a \in \alpha, b \in \beta\}$
Semantics: Cartesian product of the sets $\alpha$ and $\beta$

$F$
Elements: $C^S \times C^O \times (PK)^S \times (PK)^O \times (PG)^S \times (PG)^O$; an arbitrary element of $F$ is written $f$
Semantics: classification/need-to-know/need-to-share vectors;
$f_1$: subject-classification function
$f_2$: object-classification function
$f_3$: subject-need-to-know function
$f_4$: object-need-to-know function
$f_5$: subject-need-to-share function
$f_6$: object-need-to-share function

$X$
Elements: $R^T$; an arbitrary element of $X$ is written $x$
Semantics: request sequences

$Y$
Elements: $D^T$; an arbitrary element of $Y$ is written $y$
Semantics: decision sequences

$M$
Elements: $\{M_1, M_2, \ldots, M_{nm2^p}\}$; an element $M_k$ of $M$ is an $n \times m$ matrix with entries from $PA$; the $(i, j)$-entry of $M_k$ shows $S_i$'s access attributes relative to $O_j$
Semantics: access matrices

$V$
Elements: $P(S \times O) \times M \times F$
Semantics: states

$Z$
Elements: $V^T$; an arbitrary element of $Z$ is written $z$; $z_t \in z$ is the $t$-th state in the state sequence $z$
Semantics: state sequences

States of the System

We again follow the Bell-La Padula model of system state (with the extension to consider both continuous- and discrete-valued variables as state variables) as being sufficient for determining both the security of a given computer system and also the compliance of the system with a commander's decision to share information.

A state $v$ is a 3-tuple $(b, M, f)$ where

$b \in P(S \times O)$, indicating which subjects have access to which objects in the state $v$;

$M \in M$, indicating the entries of the access matrix in the state $v$; and

$f \in F$, indicating the clearance level of all subjects, the classification level of all objects, the need-to-know associated with all subjects and objects in the state $v$, and the need-to-share associated with all subjects and objects in the state $v$.

We comment that a major difference in achieving automated assistance of a need-to-share compared to a need-to-know is that command decisions to share will associate individuals (subjects) not normally authorized access with specific information (objects). Thus, we assume (and any implementation must ensure) that the set of information objects annotated with need-to-know attributes and the set of information objects annotated with need-to-share attributes are disjoint sets.

State-Transition Relation

Let $W \subseteq R \times D \times V \times V$ (i.e. the Cartesian product of the sets of requests, decisions, current state and prior state). The system $\Sigma(R, D, W, z_0) \subseteq X \times Y \times Z$ is defined by

$(x, y, z) \in \Sigma(R, D, W, z_0)$ if and only if $(x_t, y_t, z_t, z_{t-1}) \in W$ for each $t \in T$,

where $z_0$ is a specified initial state usually of the form $(\phi, M, f)$, where $\phi$ denotes the empty set.
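The state $(b, M, f)$ defined above and the system relation $\Sigma(R, D, W, z_0)$ just given, worked through as an added Python example (this is not the report's own code). It assumes one concrete reading of a sharing compromise (a subject holding one of an object's need-to-share categories has not been granted read in $M$), a minimal next-state rule W that grants a read only if the result is free of security compromise, and a constructed two-subject, two-object scenario; it also checks the report's assumption that need-to-know and need-to-share objects are disjoint.

```python
"""Extended Bell-La Padula state v = (b, M, f) with need-to-share, plus the system
relation Sigma(R, D, W, z0). Added illustration: the sharing-compromise reading, the
rule W and the scenario data are assumptions of this example, not the report's."""
from dataclasses import dataclass
from itertools import product

# Linear ordering of the classifications named in the report, lowest first.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class F:
    """The vector f = (f1, ..., f6) of Table I."""
    f1: dict  # subject -> clearance level
    f2: dict  # object  -> classification level
    f3: dict  # subject -> need-to-know categories (subset of K)
    f4: dict  # object  -> need-to-know categories (subset of K)
    f5: dict  # subject -> need-to-share categories (subset of G)
    f6: dict  # object  -> need-to-share categories (subset of G)


@dataclass(frozen=True)
class State:
    """v = (b, M, f): b holds the (subject, object) pairs in current access; M maps a
    (subject, object) pair to its granted access attributes (an element of PA)."""
    b: frozenset
    M: dict
    f: F


def non_disjoint_objects(f):
    """Objects breaking the report's assumption that need-to-know and need-to-share
    annotated objects are disjoint sets."""
    return sorted(o for o in f.f2 if f.f4.get(o) and f.f6.get(o))


def security_compromises(v):
    """BLP security compromise: an access (s, o) in b where the clearance is below the
    object's classification or a need-to-know category of the object is missing."""
    f = v.f
    return sorted((s, o) for s, o in v.b
                  if LEVELS[f.f1[s]] < LEVELS[f.f2[o]]
                  or not f.f4.get(o, set()) <= f.f3.get(s, set()))


def sharing_compromises(v):
    """Assumed reading of a sharing compromise: a subject holding one of an object's
    need-to-share categories has not been granted 'read' on it in M."""
    f = v.f
    return sorted((s, o) for s, o in product(f.f1, f.f2)
                  if f.f6.get(o, set()) & f.f5.get(s, set())
                  and "read" not in v.M.get((s, o), set()))


def is_compliant(v):
    """True when v has neither a security compromise nor a sharing compromise."""
    return not (security_compromises(v) or sharing_compromises(v) or non_disjoint_objects(v.f))


def W(request, v):
    """Assumed next-state rule: grant a (s, o, 'read') request only if adding (s, o) to b
    leaves the state free of security compromise; otherwise answer 'no' and keep v."""
    s, o, attr = request
    if attr != "read":
        return "error", v
    nxt = State(v.b | {(s, o)}, {**v.M, (s, o): v.M.get((s, o), set()) | {"read"}}, v.f)
    return ("no", v) if security_compromises(nxt) else ("yes", nxt)


def run(requests, z0):
    """Drive W from z0, producing the request, decision and state sequences x, y, z."""
    x, y, z = [], [], [z0]
    for r in requests:
        d, nxt = W(r, z[-1])
        x.append(r)
        y.append(d)
        z.append(nxt)
    return x, y, z


def in_sigma(x, y, z, z0):
    """(x, y, z) is in Sigma(R, D, W, z0) iff z starts at z0 and, for every t, the tuple
    (x_t, y_t, z_t, z_{t-1}) is in W, i.e. W prescribes exactly that decision and state."""
    if z[0] != z0 or not (len(x) == len(y) == len(z) - 1):
        return False
    return all(W(x[t], z[t]) == (y[t], z[t + 1]) for t in range(len(x)))


# Constructed scenario: platoon leader S1 (SECRET, need-to-know OPS) and NGO liaison S2
# (UNCLASSIFIED); a SECRET patrol plan O1 (need-to-know OPS) and an UNCLASSIFIED
# road-status report O2 that the commander has marked need-to-share with the HADR group.
F0 = F(f1={"S1": "SECRET", "S2": "UNCLASSIFIED"}, f2={"O1": "SECRET", "O2": "UNCLASSIFIED"},
       f3={"S1": {"OPS"}}, f4={"O1": {"OPS"}}, f5={"S2": {"HADR"}}, f6={"O2": {"HADR"}})
Z0 = State(frozenset(), {}, F0)  # initial state (empty b, empty access matrix, F0)
```

In the scenario, Z0 already carries a sharing compromise (S2 has no read on O2) while S2's request to read the SECRET plan is refused by W, so the final state after the three reads is both secure and sharing-compliant.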

As discussed in Section I, in general W is a hybrid automaton: the system can be considered as a mapping which transforms the input to the output:

W = (X, V, Init, f, Inv, R)

For purposes of proving desired security and sharing properties, W has been defined as a relation. It can be specialized to be a function, although this is not necessary for the development herein. When considering design questions, however, W will be a function, specifying next-state and next-output. W should be considered intuitively as embodying the rules of operation by which the system in any given state determines the current decision for a current request and moves into a next state. Concerning the distinction between relations, which in this paper are declarative in nature, and functions, which may also be procedural in nature, it is important to be aware of the distinction between declarative and imperative functions (pages 56-57 of (Lee & Varaiya, 2002)). As pointed out by Lee and Varaiya, a declarative definition of the square root as:

SquareRoot(x) is the unique value of y ∈ Reals such that y² = x

does not tell us how to calculate the square root. However, an imperative, or procedural, implementation of the function SquareRoot(x) would yield a value, y, whose square, y², might not equal x but would be approximately equal to x. Thus, it is important to consider the distinction between logical assertions of relations, which are provably correct, and procedural implementations of declarative relations, which may yield approximations of the variables of interest. This will usually be the case for continuous variables whose values change over time and space, since the dependent variable values change with infinitesimal temporal and spatial variations, yet we make decisions over intervals of time and space for operational decisions.
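The distinction just drawn can be seen by running both forms side by side. The following is an added example, not code from the report: sqrt_declarative checks the relation y² = x exactly, sqrt_imperative (Newton's iteration, an assumed choice of procedure) returns an approximation, and sqrt_within is the interval-based decision the text says must be made for continuous values. All three function names are constructed for the example.

```python
def sqrt_declarative(x, y):
    """Declarative relation: y is a square root of x iff y*y == x.
    This is a predicate to be checked; it does not compute y."""
    return y * y == x


def sqrt_imperative(x, tol=1e-12, max_iter=60):
    """Procedural implementation (Newton's iteration, an assumed choice):
    returns y with |y*y - x| < tol, which need not satisfy y*y == x exactly."""
    if x < 0:
        raise ValueError("no real square root")
    if x == 0:
        return 0.0
    y = x if x >= 1 else 1.0          # any positive starting guess converges
    for _ in range(max_iter):
        if abs(y * y - x) < tol:
            break
        y = 0.5 * (y + x / y)
    return y


def sqrt_within(x, y, eps):
    """Decision over an interval: accept y as the square root of x
    when y*y lies within eps of x, the way an operational rule would."""
    return abs(y * y - x) <= eps
```

For x = 2 the procedural value satisfies the interval check at eps = 1e-9 but fails the exact declarative relation, because no double-precision y has y*y exactly equal to 2.0; a proof about the relation therefore says nothing about what the implementation returns unless the tolerance is part of the specification.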

Summary 

In  this  section  we  have  modified  the  Bell-La  Padula  model  for  analyzing  security  compromises  (the  basis 
for  multi-level  security  systems)  to  add  a  capability  to  analyze  compositions  of  discrete  and  continuous 
models  and  also  added  a  capability  to  analyze  information  sharing  compromises  (failure  to  share 
information  declared  sharable  by  a  commander). 


SECTION  III  A  FUNDAMENTAL  RESULT 

Compromise,  Security  of  Information  and  Sharing  of  Information 

Following Bell-La Padula, we define a compromise state as follows: v = (b, M, f) ∈ V is a compromise state (security or sharing compromise) if there is an ordered pair (S, O) ∈ b such that

(i) f1(S) < f2(O), a security compromise, or

(ii) f3(S) ⊉ f4(O), a security compromise, or

(iii) f5(S) ⊉ f6(O), a sharing compromise.

In  other  words,  v  is  a  compromise  if  the  current  allocation  of  objects  to  subjects  (b)  includes  an 
assignment  ((S,0))  with  at  least  one  of  three  undesirable  characteristics: 

(i') S's clearance is lower than O's classification;

(ii') S does not have some need-to-know category that is assigned to O, or

(iii') S does not have some need-to-share category that is assigned to O.

In order to make later discussions and arguments a little more succinct, we shall define a security and sharing condition: (S, O) ∈ S × O satisfies the security and sharing condition relative to f (SC rel f) if

(iv) f1(S) ≥ f2(O), and

(v) f3(S) ⊇ f4(O), and

(vi) f5(S) ⊇ f6(O).

A state v ∈ V is a secure state if each (S, O) ∈ b satisfies SC rel f.

In  the  remainder  of  this  section  we  follow  the  development  of  Bell  and  La  Padula  but  add  the  discussion 
needed  to  consider  enabling  a  commander's  decision  to  share  some  elements  of  information.  As  in  Bell 
and  La  Padula's  development,  we  present  a  table  which  summarizes  some  constraints  on  the  system 
subjects  and  objects  and  then  prove  a  basic  security  and  sharing  theorem. 

Proposition: v ∈ V is not a secure state iff v is a compromise.

A state sequence z ∈ Z has a compromise if z_t is a compromise for some t ∈ T. z is a secure state sequence if z_t is a secure state for each t ∈ T. We shall call (x,y,z) ∈ Σ(R,D,W,z0) an appearance of the system. (x,y,z) ∈ Σ(R,D,W,z0) is a secure appearance if z is a secure state sequence. The appearance (x,y,z) has a compromise if z has a compromise.

Σ(R,D,W,z0) is a secure system if every appearance of Σ(R,D,W,z0) is secure.

Σ(R,D,W,z0) has a compromise if any appearance of Σ(R,D,W,z0) has a compromise.

Proposition: z ∈ Z is not secure iff z has a compromise.

Proposition: Σ(R,D,W,z0) is not secure iff Σ(R,D,W,z0) has a compromise.

Constraints 

We make constraints (assumptions), as shown in Table II, which reflect a subset of requirements (actually a lack of requirements) to be imposed on the system. In Section IV we shall change some of these assumptions and observe the effect on the system.

Table II: Initial Requirements

REQUIREMENTS              RAISE?      LOWER?
SUBJECT CLEARANCE         NO          NO
OBJECT CLASSIFICATION     NO          NO

REQUIREMENTS              INCREASE?   DECREASE?
SUBJECT NEEDS-TO-KNOW     NO          NO
OBJECT NEEDS-TO-KNOW      NO          NO

REQUIREMENTS              INCREASE?   DECREASE?
SUBJECT NEEDS-TO-SHARE    NO          NO
OBJECT NEEDS-TO-SHARE     NO          NO

We remark that the novel contribution of this paper to the previously-established treatment of multi-level security systems lies in the observation that, if we ensure that "classified objects" and "sharable objects" are disjoint sets, then the same framework for treatment of classified objects can be used for shareable objects. Thus, the constraints of Table II, in effect, say that "no" is the answer to each of the questions "Is there a requirement to (raise / lower / increase / decrease) a (subject's / object's) (classification or clearance / needs-to-know / needs-to-share)?".

Basic  Security  and  Sharing  Theorem 

Basic Security Theorem:

Let W ⊆ R × D × V × V be any relation such that (R_i, D_j, (b*, M*, f*), (b, M, f)) ∈ W implies

(i) f = f*, and

(ii) every (S, O) ∈ b* - b satisfies SC rel f*.

Then Σ(R,D,W,z0) is a secure system for any secure state z0.

Proof: Let z0 = (b, M, f) be secure. Pick (x,y,z) ∈ Σ(R,D,W,z0) and write z_t = (b^(t), M^(t), f^(t)) for each t ∈ T.

z1 is a secure state. (x1, y1, z1, z0) ∈ W. Thus by (i), f^(1) = f. By (ii), every (S, O) in b^(1) - b satisfies SC rel f^(1). Since z0 is secure, every (S, O) ∈ b satisfies SC rel f. Since f = f^(1), every (S, O) ∈ b^(1) satisfies SC rel f^(1). That is, z1 is secure.

If z_{t-1} is secure, z_t is secure. (x_t, y_t, z_t, z_{t-1}) ∈ W. Thus by (i), f^(t) = f^(t-1). By (ii), every (S, O) in b^(t) - b^(t-1) satisfies SC rel f^(t). Since z_{t-1} is secure, every (S, O) ∈ b^(t-1) satisfies SC rel f^(t-1). Since f^(t) = f^(t-1), every (S, O) ∈ b^(t) satisfies SC rel f^(t). That is, z_t is secure. By induction, z is secure, so that (x,y,z) is a secure appearance. (x,y,z) being arbitrary, Σ(R,D,W,z0) is secure.


Summary 

In  this  section  we  have  applied  the  mathematical  model  of  Section  II  to  the  modeling  of  a  secure 
computer  system  which  also  supports  sharing  information  with  coalition  partners  and  non-government 
agencies.  We  have  defined  a  secure  system  precisely,  through  the  definitions  of  security  and  sharing 
compromises,  and  have  given  a  rule  of  operation,  W,  which  we  have  shown  guarantees  that  the  system 
is  secure  in  its  operation  while  also  sharing  information  as  authorized  by  a  commander. 
SECTION IV CONCLUSION


Introduction 

In  Section  I  we  discussed  the  motivation  and  basis  for  this  paper.  We  pointed  out  advancement  of 
general  system  theory  since  the  time  of  the  original  Bell-La  Padula  model  and  mentioned  the  need  to 
support  access  to  information  based  upon  a  commander's  decision  to  share  the  information. 

Subsequently, we extended the Bell-La Padula mathematical model for the study of secure computer systems to include considerations of compositions of logical and continuous system components, as well as considerations of meeting requirements for sharing information and the notion of a sharing compromise.

We  then  applied  the  extended  model,  under  a  given  set  of  assumptions,  to  the  question  of  security  of 
information  and  sharing  of  information  (security  compromise  and  sharing  compromise).  We  gave  a  rule 
by  which,  for  the  assumptions  given,  the  system  would  remain  secure  in  its  operation  for  information 
requiring  a  need-to-know  while  also  enabling  sharing  of  information  in  accordance  with  a  commander's 
declaration  of  a  need-to-share. 

As in the case of the original Bell-La Padula security result, an important point for the security and sharing result is that the proof did not depend on the choice of elements for the access attributes (the set A). This means that any access set is acceptable and any access matrix is acceptable. Stated differently, the proof process has shown that, under the given assumptions, security of the system is independent of the access matrix and the rules (if any) by which the access matrix is changed.

Thus,  to  the  extent  that  access  can  be  made  arbitrarily  difficult,  we  have  modeled  the  system  in  such  a 
manner  that  complying  with  the  model  restrictions  may  result  in  a  system  which  is  not  of  practical  use. 
This  section  will  address  some  of  the  specific  questions  to  be  considered  if  a  viable  system  is  to  be 
developed  from  the  extended  Bell-La  Padula  model. 

Problem  Reformulation 

We seek to address problems which relate to compositions of discrete (logical) and continuous (physical) models whose behaviors approximate those of complex systems of interest. Following Bell and La Padula, we will first change the requirements listed in Table II and derive, from the changed assumptions, a result related to sharing information which has been declared as shareable while maintaining security of information which remains categorized as "need-to-know". We will then discuss criteria to be met by the access control mechanisms in order to maintain the declared constraints on the disjoint sets of "need-to-know" and "need-to-share" information elements.
Table III: Requirements

REQUIREMENTS              RAISE?      LOWER?
SUBJECT CLEARANCE         YES         NO
OBJECT CLASSIFICATION     NO          YES

REQUIREMENTS              INCREASE?   DECREASE?
SUBJECT NEEDS-TO-KNOW     YES         NO
OBJECT NEEDS-TO-KNOW      NO          YES

REQUIREMENTS              INCREASE?   DECREASE?
SUBJECT NEEDS-TO-SHARE    YES         NO
OBJECT NEEDS-TO-SHARE     NO          YES

Basic Security Theorem (revised with sharing):

Let W ⊆ R × D × V × V be any relation such that (R_i, D_j, (b*, M*, f*), (b, M, f)) ∈ W implies

(i) f*1(S) ≥ f1(S) for each S ∈ S,
f*2(O) ≤ f2(O) for each O ∈ O,
f*3(S) ⊇ f3(S) for each S ∈ S,
f*4(O) ⊆ f4(O) for each O ∈ O,
f*5(S) ⊇ f5(S) for each S ∈ S,
f*6(O) ⊆ f6(O) for each O ∈ O, and

(ii) every (S, O) ∈ b* - b satisfies SC rel f*.

Then Σ(R,D,W,z0) is a secure system for any secure state z0.

Proof: Let z0 = (b, M, f) be secure. Pick (x,y,z) ∈ Σ(R,D,W,z0) and write z_t = (b^(t), M^(t), f^(t)) for each t ∈ T.

z1 is a secure state. (x1, y1, z1, z0) ∈ W. By (ii), every (S, O) in b^(1) - b satisfies SC rel f^(1). Since z0 is secure, every (S, O) in b satisfies SC rel f; that is, f1(S) ≥ f2(O), f3(S) ⊇ f4(O), and f5(S) ⊇ f6(O). By (i), we have, for each (S, O) in b^(1) - (b^(1) - b),

f1^(1)(S) ≥ f1(S) ≥ f2(O) ≥ f2^(1)(O),

f3^(1)(S) ⊇ f3(S) ⊇ f4(O) ⊇ f4^(1)(O), and

f5^(1)(S) ⊇ f5(S) ⊇ f6(O) ⊇ f6^(1)(O)

so that each (S, O) in b^(1) satisfies SC rel f^(1). That is, z1 is secure.

If z_{t-1} is secure, then z_t is secure. (x_t, y_t, z_t, z_{t-1}) ∈ W. By (ii), every (S, O) in b^(t) - b^(t-1) satisfies SC rel f^(t). Since z_{t-1} is secure, every (S, O) in b^(t-1) satisfies SC rel f^(t-1); that is,

f1^(t-1)(S) ≥ f2^(t-1)(O),

f3^(t-1)(S) ⊇ f4^(t-1)(O), and

f5^(t-1)(S) ⊇ f6^(t-1)(O).

By (i), we have for each (S, O) in b^(t) - (b^(t) - b^(t-1)),

f1^(t)(S) ≥ f1^(t-1)(S) ≥ f2^(t-1)(O) ≥ f2^(t)(O),

f3^(t)(S) ⊇ f3^(t-1)(S) ⊇ f4^(t-1)(O) ⊇ f4^(t)(O), and

f5^(t)(S) ⊇ f5^(t-1)(S) ⊇ f6^(t-1)(O) ⊇ f6^(t)(O), so that each (S, O) in b^(t) satisfies SC rel f^(t).

That is, z_t is secure. By induction, z is secure, so that (x,y,z) is a secure appearance. (x,y,z) being arbitrary, Σ(R,D,W,z0) is secure.

The revised theorem just proved indicates that dynamic

(i) raising of subject clearance;

(ii) lowering of object classification;

(iii) increasing of subject needs-to-know;

(iv) decreasing of object needs-to-know;

(v) increasing of subject needs-to-share; and

(vi) decreasing of object needs-to-share

can be provided in the system without security compromise or sharing compromise. As with the original Bell-La Padula result, however, the proof is independent of what is happening in the access matrix. We will discuss the implications of the changes in the general systems model, the change in explicitly considering a security category devoted to sharing information, and consider the implications for flowing valued information via extensions to the military messaging system as the subject of the next section.
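As an added worked example (not code from the report), the state definition of Section II, the compromise and SC rel f definitions of Section III, and the rule of operation W of the revised theorem above are written out in Python so that a state sequence can be checked mechanically rather than by hand. The subjects cdr and ngo, the objects intel and relief_msg, the category labels ops and hadr, and all function names are constructed for the example; levels are modelled as integers and categories as frozensets, and the access matrix M is carried along but never consulted, as the theorem's proof allows.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Levels:
    """f = (f1, ..., f6) of Section II; all category values are frozensets."""
    f1: dict  # subject -> clearance (larger integer = more sensitive)
    f2: dict  # object  -> classification
    f3: dict  # subject -> need-to-know categories
    f4: dict  # object  -> need-to-know categories
    f5: dict  # subject -> need-to-share categories
    f6: dict  # object  -> need-to-share categories


@dataclass(frozen=True)
class State:
    """A state v = (b, M, f); M is never consulted, as in the theorem's proof."""
    b: frozenset  # current (subject, object) access pairs
    M: dict
    f: Levels


def sc_rel_f(S, O, f):
    """(S, O) satisfies SC rel f: conditions (iv), (v) and (vi)."""
    return f.f1[S] >= f.f2[O] and f.f3[S] >= f.f4[O] and f.f5[S] >= f.f6[O]


def compromises(v):
    """Every (S, O, kind) in b violating (i), (ii) or (iii) of the compromise definition."""
    found = []
    for S, O in sorted(v.b):
        if v.f.f1[S] < v.f.f2[O]:
            found.append((S, O, "security: clearance below classification"))
        if not v.f.f3[S] >= v.f.f4[O]:
            found.append((S, O, "security: need-to-know category missing"))
        if not v.f.f5[S] >= v.f.f6[O]:
            found.append((S, O, "sharing: need-to-share category missing"))
    return found


def is_secure(v):
    """Proposition: v is not a secure state iff v is a compromise."""
    return not compromises(v)


def nk_ns_disjoint(f):
    """Section II assumption: need-to-know objects and need-to-share objects are disjoint."""
    nk = {O for O, cats in f.f4.items() if cats}
    ns = {O for O, cats in f.f6.items() if cats}
    return nk.isdisjoint(ns)


def monotone(f_star, f):
    """Condition (i) of the revised theorem (the YES entries of Table III)."""
    return (all(f_star.f1[S] >= f.f1[S] for S in f.f1)
            and all(f_star.f2[O] <= f.f2[O] for O in f.f2)
            and all(f_star.f3[S] >= f.f3[S] for S in f.f3)
            and all(f_star.f4[O] <= f.f4[O] for O in f.f4)
            and all(f_star.f5[S] >= f.f5[S] for S in f.f5)
            and all(f_star.f6[O] <= f.f6[O] for O in f.f6))


def W(request, prior):
    """Rule of operation as a function of (request, prior state); a request is
    (pairs to add to b, proposed f*).  'yes' only if (i) holds and every pair in
    b* - b satisfies SC rel f* (ii); otherwise 'no' and the state is unchanged."""
    new_pairs, f_star = request
    b_star = prior.b | frozenset(new_pairs)
    if not monotone(f_star, prior.f):
        return "no", prior
    if not all(sc_rel_f(S, O, f_star) for S, O in b_star - prior.b):
        return "no", prior
    return "yes", State(b_star, prior.M, f_star)


def run(requests, z0):
    """Build the appearance (x, y, z) from z0; report whether z is a secure state sequence."""
    if not (is_secure(z0) and nk_ns_disjoint(z0.f)):
        raise ValueError("z0 must be secure with disjoint need-to-know/need-to-share objects")
    y, z = [], [z0]
    for x_t in requests:
        d_t, z_t = W(x_t, z[-1])
        y.append(d_t)
        z.append(z_t)
    return y, z, all(is_secure(v) for v in z)


# Constructed sample (not from the report): a commander, an NGO liaison,
# one need-to-know object ('intel') and one need-to-share object ('relief_msg').
def sample_z0():
    f = Levels(f1={"cdr": 2, "ngo": 0}, f2={"intel": 2, "relief_msg": 0},
               f3={"cdr": frozenset({"ops"}), "ngo": frozenset()},
               f4={"intel": frozenset({"ops"}), "relief_msg": frozenset()},
               f5={"cdr": frozenset(), "ngo": frozenset()},
               f6={"intel": frozenset(), "relief_msg": frozenset({"hadr"})})
    return State(b=frozenset(), M={}, f=f)


def sample_requests(z0):
    f = z0.f
    shared = replace(f, f5={**f.f5, "ngo": frozenset({"hadr"})})        # commander declares need-to-share
    leak = replace(shared, f6={**f.f6, "intel": frozenset({"hadr"})})   # tries to tag intel as shareable
    return [
        ([("ngo", "relief_msg")], f),       # no: ngo lacks need-to-share category 'hadr'
        ([("ngo", "relief_msg")], shared),  # yes: (i) subject need-to-share increased, (ii) holds
        ([("ngo", "intel")], shared),       # no: clearance 0 below classification 2
        ([], leak),                         # no: (i) forbids increasing an object's need-to-share
    ]
```

Running run(sample_requests(z0), z0) from the sample z0 yields the decisions ['no', 'yes', 'no', 'no'] and every state of the resulting sequence is secure, which is the induction of the theorem carried out state by state. The disjointness assumption is checked only on z0: under condition (i) object categories can only shrink, so a disjoint starting state stays disjoint; the fourth request shows that an attempt to move an object from the need-to-know set into the need-to-share set is rejected by (i) itself.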

Access  Control 

In  Section  I  we  provided  a  hybrid  system  model  as  the  most  general  model  we  will  consider  for  this 
paper.  The  notation  of  sections  II  and  III  followed  the  notation  of  Bell  and  La  Padula  for  purposes  of 
extending  the  formal  logic  associated  with  defining  and  analyzing  system  security  in  terms  of  subject 
and  object  classification,  need-to-know,  and  need-to-share.  That  is,  sections  II  and  III  deal  only  with  set- 
based  approximations  of  complex  systems  (and  we  assume  that  sets  of  "need-to-know"  objects  and 
"need-to-share"  objects  are  disjoint  sets).  For  the  issue  of  access  control  of  information  representing  the 
state  of  a  complex  system,  we  revisit  the  hybrid  system  model  and  discuss  issues  associated  with 
maintaining  estimates  of  continuously-varying  parameters  associated  with  physical  systems  while 
making  logical  approximations  at  appropriate  instants  of  time.  For  this  purpose,  we  repeat  the  hybrid 
system  model  below. 

We consider the functional behavior (input-output mapping) of a complex system, S, to be closely approximated by a hybrid automaton, S, which captures the logical and physical constraints on system evolution: S = (X, V, Init, f, Inv, R) where

X is a finite collection of state variables. We assume X = (X_D ∪ X_C) with X_D countable and X_C ⊆ ℝ^n;

V is a finite collection of input variables. We assume V = (V_D ∪ V_C) with V_D countable and V_C ⊆ ℝ^n;

Init ⊆ X is a set of initial states;

f : X × V → X_C is a vector field, assumed to be globally Lipschitz in X_C and continuous in X_D;

Inv ⊆ X × V is an invariant set;

R : X × V → 2^X is a reset relation.

We refer to x ∈ X as the state of S and to v ∈ V as the input of S. A fundamental issue in building
approximate models is the tradeoff between model accuracy and model complexity. While Sections II and III provide a formal result, they are unfortunately limited to problems so simple (i.e. set-based models only) as to be of limited use in building realistic decision support tools, since every practical problem exists under continuous time and space constraints, as well as continuous constraints on physical system evolution over time, while set-based models ignore continuous constraints. Our challenge in applying the theory of Sections II and III to access information stored on computing and communications networks relating to real events and real physical objects is then to deal with issues of trust and viability. Trust constraints are associated with ensuring that the information being analyzed meets standards of confidentiality and integrity as well as metrics associated with trusting the original source of the information (real sensors have error models for building metrics for approximating reality, and real people have trust issues which change over time and should be captured). Viability constraints are associated with ensuring that the composition of system logical components and physical components represents a physically-realizable system (many models are not physically realizable) (Aubin, 1991) (Deshpande & Varaiya, 1995). The issue of viability of existence of a solution to the composed problem is dealt with in the controls community by ensuring that "sufficiently close" approximations are available from the composed components used to generate the feedback control laws (digital and/or analog signal filters) used to move the current system state to some desired future state. Models used for this purpose must be grounded in viable solutions to approximating (predicting) future state from current state and current input (the system identification problem). Validity of such models is only assured for time-invariant (stationary) systems or, for slowly time-varying systems, for the time frame in which the system parameters have not changed "significantly". Future reports will deal with issues of trust and viability for scenarios of interest. The current scenario being studied for information sharing is contained in the appendix for a platoon-level Humanitarian Assistance-Disaster Recovery (HADR) operation.

Understanding the HADR problem (in the sense of building models which predict future values/states of parameters of interest) at the platoon level exhibits the full range of complex systems analysis issues we are interested in addressing. This scenario, an earthquake in Afghanistan, requires a unit to move to a new location, coordinate with local leaders and non-government agencies to provide disaster relief, and provide local security in the area of operations. Given that the local government and economy have been affected and the disaster has occurred in an area being contested between the Government of the Islamic Republic of Afghanistan (GIROA) and the Taliban, the scenario places the leader in the position of considering political, military, economic, social, infrastructure, and information (PMESII) outcomes related to whatever decisions are taken in attempting to assist in providing disaster relief. Furthermore, available analytical techniques for determining the human terrain (social and cultural aspects of social network analysis studies) are just now being investigated. While predictive models of human terrain are not expected to be available for some time, the modeling approach described above supports the broad range of hybrid system modeling techniques that have been used in the past for automatic control system identification (i.e. data analysis to determine the correct model type and assign model parameters to predict future system state), system control law design (i.e. feedback filter design to cause the closed-loop current system state to move to a desired future system state in response to inputs over time), and control law implementation and update (for adaptive control systems). These modeling techniques include state-space models (linear or nonlinear, statistical or deterministic, stationary or non-stationary, frequency/spectral-domain or time-domain) as well as wavelet models. The basic issues in each model effort include matching model parameters to actual system data and determining the range of parameter values for which the model behavior is "close enough" to actual system behavior. For the range of PMESII problems being addressed by junior leaders on a daily basis, we are as yet unable to achieve acceptable ("close-enough") model performance.

Data  Base  Sharing 

The  original  Bell-La  Padula  paper  (Bell  &  LaPadula,  1973)  discussed  some  of  the  issues  associated  with 
implementing  the  security  results  on  a  shared  database  since,  at  the  time  the  paper  was  published,  this 
was  the  method  of  implementation  of  sharing  information.  We  observe  here  that  implementations  for 
sharing  data  over  networks  of  sensing,  communicating,  and  computing  devices  have  grown 
exponentially  over  the  intervening  36  years  and  will  probably  continue  to  grow  for  at  least  the  next  15 
years  as  Moore's  Law  continues  to  fuel  Information  Age  expansions.  Also,  Bell  subsequently  observed 
that  the  multi-level  security  result  obtained  from  the  original  paper  applies  to  networks  of  devices  (Bell 
D.  E.,  2005).  Thus,  our  efforts  to  apply  the  extensions  developed  in  Sections  II  and  III  above  will  focus  on 
the  trust  and  viability  issues  mentioned  above.  In  that  regard,  we  expect  to  extend  the  capabilities  of 
the  Android  smart  phone  to  prototype  information  sharing  technology  implementations. 

We  intend  to  initially  prototype  automation  support  which  implements  the  logical  constraints  imposed 
on  information  transfer  by  the  results  of  this  paper.  The  information  transfer  will  be  appropriate  for 
that  authorized  by  a  commander  in  executing  a  HADR  operation  and  will  simulate  a  commander  creating 
a  text  string  and  authorizing  the  string  to  be  shared  with  designated  individuals  over  a  designated  area 
for  a  designated  time.  We  will  move  the  string  (and  subsequent  responses  to  the  string)  across  security 
boundaries  among  network  nodes  in  accordance  with  a  declaration  of  a  "need-to-share"  while 
maintaining  constraints  on  other  information  whose  movement  is  constrained  by  a  "need-to-know". 

Summary 

We  have  provided  extensions  to  the  Bell  and  La  Padula  model  which  lay  the  groundwork  for:  (1)  building 
more  accurate  models  of  the  complex  operational  environments  of  today  and  tomorrow,  and  (2) 
providing  automation  support  for  a  commander's  decision  to  share  information  while  simultaneously 
maintaining  the  security  of  information  which  must  not  be  compromised. 

Indeed,  concerning  the  issue  of  sharing  information,  we  take  the  position  that  at  least  one  category  of 
data,  metadata,  should  be  shared  continuously  with  everyone,  all  of  the  time,  and  in  every  area  (e.g. 
information  metadata  for  all  categories  of  information  should  be  shared  with  all  categories  of  users). 
Appendix A: Earthquake Scenario


Humanitarian  Assistance/Disaster  Recovery  (HADR)  Operation 
Earthquake  Scenario  (With  Information  Sharing) 

Operations  Order 

1. Situation. Two earthquakes occurred early this morning in Nangahar Province North East of Kabul, Afghanistan. Approximately 200 families are homeless and 20 people have been killed. There is a need for food, temporary shelter, water, medical aid, and search teams. Our platoon will depart in four hours to provide HADR support to the Provincial Reconstruction Team (PRT) of Nangahar Province. We have been assigned to ?? Village, ?? District, Nangarhar Province, Afghanistan.


2.  Mission  Provide  HADR  support  to  the  people  of??  Village,  ??  District,  Nangarhar 
Province  from  H  Hour  on  D  Day  until  relieved  (relief  in  place  expected  in  72  hours). 


3.  Execution  Phase  1  is  movement  to  the  village  area.  Phase  2  is  securing  the  village  and 
searching  for  additional  victims.  Phase  3  is  providing  recovery  assistance. 


During  Phase  I  the  Platoon  Leader  will  lead  an  advance  party  to  the  village  while  the 
Platoon  Sergeant  moves  the  platoon  into  the  village  area.  Phase  1  ends  when  the  Platoon 
Leader  briefs  the  platoon  on  the  advance  party  results  and  assigns  security  and  search 
areas. 


During Phase 2 first and second squads will provide security of the village area while third and fourth squads assist villagers in searching for survivors and victims. As the search is underway the Platoon Sergeant will lead security activities and the Platoon Leader will lead search activities and coordinate with local leaders, government and non-government agencies concerning feasible recovery assistance activities. Phase 2 ends when the village leaders indicate all inhabitants are accounted for or that the search for survivors is completed. The Platoon Leader will then assign recovery activities to each squad based upon the results of coordination with local leaders, government and non-government agencies.


During  Phase  3  third  and  fourth  squads  will  provide  security  of  the  village  area  while  first 
and  second  squads  execute  assigned  recovery  activities.  Phase  3  will  continue  until 
relieved. 


4.  Command  and  Signal  Current  command  relations  are  unchanged.  Current  CEOI  will 
remain  in  effect.  There  will  be  United  Nations  (UN)  relief  organization  personnel  in  the 
area  as  well  as  other  national  and  international  relief  organization  personnel  who  may  or 
may  not  be  members  of  the  UN  Assistance  Mission  of  Afghanistan  (UNAMA). 


5.  Administration  and  Logistics  Carry  basic  combat  load,  extra  water  and  three  days  of 
rations.  Battalion  will  be  setting  up  a  temporary  combat  outpost  in  the  vicinity  within  24 
hours. 

Discussion 

Currently  there  is  no  underlying  science  for  automatically  moving  valued  information  from  one 
network  node  to  another  in  accordance  with  a  commander’s  intent  for  conduct  of  an  operation. 
Furthermore,  there  is  no  underlying  science  for  automatically  moving  information  across  a 
security  boundary  in  accordance  with  a  commander’s  declaration  of  intent  to  share  the 
information.  Thus  networks  of  forces  in  Afghanistan  and  elsewhere  are  inundated  with 
information  which  may  not  be  valuable  to  the  current  operation  and  commanders  are  constrained 
to  manually  share  information  face-to-face  with  coalition  partners  who  are  unable  or  unwilling  to 
obtain  security  clearances  to  work  on  available  networks. 


The  Flowing  Valued  Information  project  will  result  in  flowing  valued  information  among 
network  nodes  to  increase  the  value  of  shared  information.  Consider  what  might  be  possible 
with  information  sharing  technologies  which  will  automatically  flow  valued  information  and  will 
also  execute  movement  of  information  across  network  nodes  in  accordance  with  a  commander’s 
declaration  of  intent  to  share  information  with  an  individual  or  with  a  group.  The  following 
assertions  are  made  concerning  possible  results  for  HADR  operations  such  as  the  one 
summarized  in  the  above  Operations  Order  (OPORD). 

The Flowing Valued Information project seeks to enable dynamic alteration of the movement of information across network nodes in response to both (1) the relative utility of the information to meeting commander's intent and also (2) the expressed intent (perhaps recently expressed) of sharing information with a particular group and/or individual. In order to achieve these goals, a mechanism must be created to dynamically change the information being flowed across network nodes and to do so at multiple time scales and multiple distance scales.

Command  Intent: 

The  Military  Decision  Making  Process  (MDMP)  is  a  structured  approach  for  generating 
alternative  courses  of  action,  selecting  a  course  of  action,  generating  written  operation  orders  for 
the  selected  course  of  action,  and  executing  the  selected  course  of  action.  Command  Intent  for 
the  selected  course  of  action  is  not  explicitly  captured  in  the  written  documents  associated  with 
an  OPORD  but  is  expected  to  be  understood  and  achieved  in  executing  the  selected  course  of 
action.  Command  intent  is  summarized  in  the  mission  and  execution  sections  of  the  OPORD  but 
may  also  include  elements  not  included  in  these  sections.  Subordinate  commanders  are  expected 
to  understand  command  intent  from  development  of  the  selected  course  of  action  during  the 
planning  process  and  to  exercise  military  judgment  in  dynamically  altering  the  details  of  the  plan 
during  execution  in  order  to  meet  command  intent. 

The OPORD sketched out above would normally not be written, since echelons below battalion level
normally do not follow the MDMP and do not issue written OPORDs. Instead, Troop Leading Procedures
are followed, in which the same basic decision flow occurs: alternative courses of action are
considered, a course of action is selected, and a verbal OPORD is created and delivered to
subordinate leaders. However, at both the higher echelons of tactical-level operations (Brigade and
Battalion) and the lower echelons (Company, Platoon and Squad), command intent is developed and
conveyed to other leaders during the decision-making process, and subordinate leaders are expected
to change the plan dynamically during execution to meet the intent of the commander.

Thus, in the mathematical sense, command intent is the system invariant around which the other
parameters vary during execution, and information flow should be optimized to make information
available at the communication and computing nodes in the unit network according to the role
played, in meeting the commander's intent, by the unit associated with each node.

Discrete  and  Continuous  Variables 

Moreover, the kinds of parameters which may dynamically vary during the conduct of the operation
consist of both discrete and continuous variables. For instance, soldiers are trained to make and
continuously update a visualization of the battlespace (i.e. the state of the operational
environment) which considers Mission, Enemy, Terrain and weather, Troops and support available,
Time available, and Civil considerations (METT-TC). Variables which define the weather and vary
continuously include air density, wind velocity, temperature, humidity, rainfall, and illumination.
Terrain and time available vary continuously. The physical parameters which affect the accuracy of
every engagement process vary continuously (weapon and target position (latitude, longitude, and
altitude), three dimensions of velocity, three dimensions of acceleration, projectile flight
characteristics, atmospheric dynamics, projectile charge explosive characteristics, ...).
Commanders at higher levels may identify and specifically task intelligence personnel to identify
values for the commander's critical information requirements (CCIR). CCIR are usually
discrete-valued variables such as enemy strength, enemy location, and enemy intent. However, the
Army's Field Manual for Operations also indicates that “METT-TC emphasizes the operational
environment's human aspects. This emphasis is most obvious in civil considerations, but it affects
the other METT-TC variables as well. Incorporating human factors into mission analysis requires
critical thinking, collaboration, continuous learning, and adaptation. It also requires analyzing
local and regional perceptions. Many factors influence perceptions of the enemy, adversaries,
supporters, and neutrals. These include —

•  Language. 

•  Culture. 

•  Geography. 

•  History. 

•  Education. 

•  Beliefs. 

•  Perceived  objectives  and  motivation. 

•  Communications  media. 

•  Personal experience.”
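As an added illustration, not part of the report, of what a composed model of such discrete and continuous variables looks like in code, and of the approach proposed under Challenges below (construct components with known dynamics, compose them, predict future states): the Go program here couples one continuous component (a unit's position along a route, integrated from its speed) with discrete-event components (the road reported blocked and then cleared, and a CCIR report of new earthquake activity) and predicts the state at a planning horizon. The route, speeds, event times and the `State`, `Event`, `Predict` and `ArrivesBy` names are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// State couples a continuous variable (position X along the route, in km)
// with discrete ones (road status, alerts raised). T is hours after H-hour.
type State struct {
	T, X   float64
	Speed  float64 // km/h; the parameter the discrete events change
	Road   string  // "open" or "blocked"
	Alerts []string
}

// Event is a discrete transition that fires at time At.
type Event struct {
	At    float64
	Name  string
	Apply func(s *State)
}

// Predict advances the composed system to horizon. Between events the
// continuous component is integrated with steps of at most dt. Because
// Speed is piecewise constant here, stepping exactly to each event time
// makes forward Euler exact; with state-dependent dynamics dt sets the error.
func Predict(start State, events []Event, horizon, dt float64) State {
	evs := append([]Event(nil), events...)
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].At < evs[j].At })
	s, next := start, 0
	fire := func(until float64) { // apply every event due at or before until
		for next < len(evs) && evs[next].At <= until+1e-9 {
			evs[next].Apply(&s)
			next++
		}
	}
	for s.T < horizon-1e-9 {
		fire(s.T)
		step := math.Min(dt, horizon-s.T)
		if next < len(evs) && evs[next].At < s.T+step {
			step = evs[next].At - s.T // stop exactly on the event boundary
		}
		s.X += s.Speed * step
		s.T += step
	}
	fire(horizon)
	return s
}

// ArrivesBy asks a planning question of the predicted state: does the unit
// cover distance km by deadline hours?
func ArrivesBy(start State, events []Event, distance, deadline float64) bool {
	return Predict(start, events, deadline, 0.1).X >= distance-1e-9
}

// DemoEvents is a constructed event list: the road is reported blocked at
// H+1, cleared at H+1.5 (movement resumes at reduced speed), and an
// aftershock (a CCIR item) is reported at H+2.
func DemoEvents() []Event {
	return []Event{
		{At: 1.0, Name: "road blocked", Apply: func(s *State) { s.Road = "blocked"; s.Speed = 0 }},
		{At: 1.5, Name: "road cleared", Apply: func(s *State) { s.Road = "open"; s.Speed = 20 }},
		{At: 2.0, Name: "aftershock", Apply: func(s *State) { s.Alerts = append(s.Alerts, "new earthquake activity") }},
	}
}

func main() {
	start := State{Speed: 40, Road: "open"}
	final := Predict(start, DemoEvents(), 3, 0.1)
	fmt.Printf("H+%.0f: x=%.1f km, road %s, alerts %v\n", final.T, final.X, final.Road, final.Alerts)
	fmt.Println("village at 65 km reached by H+2.5?", ArrivesBy(start, DemoEvents(), 65, 2.5))
}
```

The point of stopping the integrator on each event boundary is that the discrete and continuous components are composed without either being approximated by the other: the continuous state is exact between events, and the discrete state changes only at event times. Replacing the constant speed with a function of terrain or weather (the continuous METT-TC variables above) turns this into a genuine numerical prediction whose error is controlled by `dt`.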

Need-to-Know  and  Need-to-Share 

While  some  of  the  data  on  the  tactical  intranet  (such  as  a  written  estimate  of  METT-TC  for  an 
upcoming  operations)  might  be  considered  for  sharing  by  a  commander,  the  scenario  in  question 
provides  an  example  of  the  case  facing  many  commanders  in  which  mission  success  requires 
asking  questions  of  local  leaders  and  non-government  organizations  (NGOs)  and  receiving 
answers.  Consider  the  fact  that  mission  success  for  the  Platoon  Leader,  Platoon  Sergeant,  and 
four  Squad  Leaders  of  the  platoon  responding  to  the  earthquake  requires  that  they  understand  the 
tactical  situation  (e.g.  the  METT-TC  estimate  which  is  in  the  “need-to-know”  information 
category)  and  prepare  as  best  they  can  to  help  the  village  deal  with  the  disaster.  Questions  which 
need  to  be  answered  immediately  (and  are  in  a  “need-to-share”  category)  include: 

•  How  many  people  are  dead? 

•  How  many  people  are  missing? 

•  Is  shelter  available  for  those  whose  homes  are  destroyed? 

•  How  much  bedding  and  clothing  are  needed? 
•  Is the road network functional?


•  Are  the  waterworks  functional? 

•  Is  electricity  available? 

•  How  many  people  need  to  be  fed? 

In  addition,  consider  that  the  Platoon  Leader,  Platoon  Sergeant  and  Squad  Leaders  might  have 
the  following  information  sharing  needs  for  the  different  phases  mentioned  in  the  OPORD: 

Phase 1 (movement into the operational area) - need to share location and activity data with

•  Doctors  Without  Borders 

•  Local  leaders 

•  UNAMA 

•  PRT  (may  not  have  TiGR) 

•  Brigade  HTT  (automatic) 

Commander's critical information requirements include:

•  Any  new  earthquake  activity 

•  Any  government  and/or  non-government  agency  providing  HADR  support  in  the  platoon 
AO 

•  Any  hostile  activity  in  the  area 

•  Any changes in the estimates for assistance in water, food, shelter, or medical support

Phase 2 (search for survivors) - need to share data with

•  Doctors  Without  Borders 

•  Local  leaders 

•  UNAMA 

•  PRT  (may  not  have  TiGR) 

•  Brigade  HTT  (automatic) 

•  Red  Cross 

•  Red  Crescent 

•  Another  coalition  partner 

Phase  3  (recovery  operations)  -  need  to  share  data  with 
•  Doctors Without Borders

•  UNAMA 

•  Local  leaders 

•  PRT  (may  not  have  TiGR) 

•  Brigade  HTT  (automatic) 

•  Red  Cross 

•  Red  Crescent 

•  Another  coalition  partner 

•  Government  reconstruction  agencies 

•  Local  and  international  construction  companies 

Available Technologies:

US Forces (interacting with the existing military network, MILNET): DISA has made great strides in
implementing the service-oriented architecture (SOA) approach to enabling automation support for
enterprise processes. Specific results which affect the future utility of project results include
the Joint Cross Domain eXchange (JCDX) system, which shares data across a multilevel secure (MLS)
system, and the classification Policy Decision Service (cPDS), which enables discovery of labeled
data and subsequent automated identification of trust relations. These MILNET services enable
automated building of the XML signature chains necessary for using the NetSMART project results to
automatically implement policy decisions by commanders to share information across the Global
Information Grid (GIG).
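The last sentence rests on signature chains: a policy decision is only usable automatically if the node acting on it can trace the authority behind it back to an issuer it already trusts. As an added example, not code from NetSMART, JCDX or cPDS and not the XML Signature format those services use, the Go program below shows the core of such a chain in miniature with Ed25519 from the standard library: each link is a signed statement that an issuer vouches for a subject key within a scope and until an expiry, the verifier walks from a trust anchor to the leaf, checks every signature against the key established by the previous link, rejects expired links, and lets each link only narrow the scope inherited from its issuer. The `Link` fields, the JSON signing input and the demo hierarchy (anchor, brigade, platoon leader, NGO liaison node) are assumptions of the example; the same check is what the chain-of-trust question under Challenges below asks for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Link is one signed trust relation: the holder of the issuing key vouches
// that SubjectKey may act within Scope until NotAfter (example format only).
type Link struct {
	Issuer     string            `json:"issuer"`
	Subject    string            `json:"subject"`
	SubjectKey ed25519.PublicKey `json:"subject_key"`
	Scope      []string          `json:"scope"`
	NotAfter   time.Time         `json:"not_after"`
	Sig        []byte            `json:"sig,omitempty"`
}

// toBeSigned is the byte string the signature covers: the link with Sig
// cleared, JSON-encoded (Go encodes struct fields in declaration order).
func (l Link) toBeSigned() ([]byte, error) {
	l.Sig = nil
	return json.Marshal(l)
}

// Sign returns a copy of l signed with the issuer's private key.
func Sign(issuer ed25519.PrivateKey, l Link) (Link, error) {
	msg, err := l.toBeSigned()
	if err == nil {
		l.Sig = ed25519.Sign(issuer, msg)
	}
	return l, err
}

// VerifyChain walks chain[0..n-1] from the trust anchor to the leaf. Link i
// must verify under the anchor key (i == 0) or under chain[i-1].SubjectKey,
// must be unexpired at now, and may only narrow the scope inherited so far.
func VerifyChain(anchor ed25519.PublicKey, chain []Link, now time.Time) ([]string, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	issuerKey, effective := anchor, chain[0].Scope
	for i, l := range chain {
		msg, err := l.toBeSigned()
		if err != nil {
			return nil, err
		}
		// Check the key length first: ed25519.Verify panics on a malformed key.
		if len(issuerKey) != ed25519.PublicKeySize || !ed25519.Verify(issuerKey, msg, l.Sig) {
			return nil, fmt.Errorf("link %d (%s -> %s): signature does not verify under issuer key", i, l.Issuer, l.Subject)
		}
		if !now.Before(l.NotAfter) {
			return nil, fmt.Errorf("link %d: expired at %s", i, l.NotAfter.Format(time.RFC3339))
		}
		if effective = intersect(effective, l.Scope); len(effective) == 0 {
			return nil, fmt.Errorf("link %d: scope narrowed to nothing", i)
		}
		issuerKey = l.SubjectKey
	}
	return effective, nil
}

func intersect(a, b []string) []string {
	allowed := make(map[string]bool, len(b))
	for _, s := range b {
		allowed[s] = true
	}
	var out []string
	for _, s := range a {
		if allowed[s] {
			out = append(out, s)
		}
	}
	return out
}

// DemoChain builds a constructed chain: trust anchor -> brigade -> platoon
// leader -> NGO liaison node, the last link releasing only HADR status data.
func DemoChain(now time.Time) (anchor ed25519.PublicKey, chain []Link, err error) {
	keys := make([]ed25519.PrivateKey, 4) // anchor, brigade, platoon leader, liaison
	for i := range keys {
		if _, keys[i], err = ed25519.GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	pub := func(i int) ed25519.PublicKey { return keys[i].Public().(ed25519.PublicKey) }
	links := []Link{
		{Issuer: "trust-anchor", Subject: "brigade", SubjectKey: pub(1), Scope: []string{"mett-tc", "hadr-status"}, NotAfter: now.Add(72 * time.Hour)},
		{Issuer: "brigade", Subject: "platoon-leader", SubjectKey: pub(2), Scope: []string{"mett-tc", "hadr-status"}, NotAfter: now.Add(48 * time.Hour)},
		{Issuer: "platoon-leader", Subject: "ngo-liaison", SubjectKey: pub(3), Scope: []string{"hadr-status"}, NotAfter: now.Add(12 * time.Hour)},
	}
	for i := range links {
		if links[i], err = Sign(keys[i], links[i]); err != nil {
			return nil, nil, err
		}
	}
	return pub(0), links, nil
}
```

Two details matter for the "normally not connected" case the report describes. The verifier needs nothing but the anchor key and the chain itself, so the links can be carried by the requesting node or fetched from a registry at decision time; and because a link cannot widen scope, a compromised intermediate key can at worst re-delegate what it was itself given, never more. Expiry on every link is what makes a commander's "for period of time T" enforceable without a revocation channel.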

New tools available for the Development Process

Hardware development tool research has been working for some time to move the automated tools
available for electronic systems development from the register-transfer level (RTL) to the
electronic system level (ESL). As indicated in an article on system-level design by Rami Rachamim:

. .  .the  development  process  can  be  divided  into  three  phases:  Concept,  ESL  design,  and 
RTL  implementation.  Each  phase  is  derived  from  the  previous  one  and  feeds  the  next 
one. 

Concept (Vision): At the concept phase a system designer creates a conceptual
description of the system without explicit software/hardware definitions or boundaries.
The phase starts with a spec and a set of requirements that are mapped into
algorithms  and  functions  that  can  be  validated.  There  are  several  languages  that  can 
serve  this  domain  including  UML  and  C/C++. 

ESL  Design  (Strategy):  At  the  ESL  design  phase  the  designer  needs  to  drive  its  strategies 
and  map  the  conceptual  description  into  hardware  (RTL)  and  software  (C/C++) 
representations. This is where the ability to impact (variability) is the greatest, and
iteration  cycles  are  shorter.  The  design  phase  should  define  the  hardware  and  software 
domains  (partitioning)  that  can  carry  the  concept  and  drive  parallel  hardware  and 
software  implementation  flows.  It  should  allow  exploration  and  optimization  when 
allocating  and  configuring  hardware  and  software  resources  while  making  sure  they 
interface  appropriately. 

The  ESL  design  phase  is  where  the  designer  creates  and  finds  the  best  possible  hardware 
and  software  system  configuration  that  is  functionally  correct  and  can  support  the  original 
system  concept.  The  output  of  the  design  process  should  be  a  well-defined  hardware 
structure  at  the  RTL  level  (most  likely  VHDL  or  Verilog  description)  and  some  of  the 
software  layers.  It  is  important  to  optimize  systems  against  real  software  since  the 
application  greatly  impacts  the  performance  and  power  behavior  of  the  system,  and  is 
reflected  at  the  user  experience  level. 

RTL  Implementation  (Tactics):  At  the  implementation  phase  the  designer  actually 
executes  upon  the  ESL  guidelines  and  maps  the  hardware  (RTL)  into  silicon.  Automating 
the  ESL  design  phase  would  not  only  make  the  RTL  implementation  task  more  efficient, 
it  would  also  result  in  shorter  verification  cycles,  since  the  integration  of  the  main 
hardware  and  software  blocks  is  already  validated.  RTL  Verification  would  then  focus 
solely on implementation related aspects, rather than system-level aspects (e.g.
hardware/software  interaction,  protocol  mismatches  and  data  integrity)  that  are  much 
harder  to  detect  at  RTL. 

Software  system-level  design:  The  Flowing  Valued  Information  project  aims  to  flow 
information  between  the  military  network  (MILNET)  and  other  networks  in  accordance  with 
Department  of  Defense  (DoD)  policy  for  sharing  information.  The  DoD  intent  is  to  use  SOA  as 
the  architecture-level  approach  for  enabling  sharing  information  among  the  US  Armed  Services 
as  well  as  with  our  coalition  partners.  However,  there  is  currently  no  underlying  science 
available  for  flowing  valued  information  among  network  nodes  or  for  sharing  information 
dynamically  with  coalition  partners  and  non-government  agencies.  Thus,  we  specifically  will 
investigate  system-level  design  approaches  for  flowing  valued  information  and  sharing  the 
information  across  security  boundaries. 

Software design and implementation: Also at the software level, new tools are available for
implementing service-oriented architecture systems. Specifically, a promising set of open-source
tools is being built under the Eclipse Swordfish project. As indicated on the project web site,
“The goal of the Swordfish project is to provide an extensible SOA framework based on the proven
Eclipse Equinox runtime technology. The framework is designed to be complemented by additional open
source components such as a service registry, a messaging system, a process engine etc. to form a
comprehensive open source SOA runtime environment based on both established and emerging open
standards.” The SOA project provides an open-source solution for using the Common Object Request
Broker Architecture (CORBA) as the messaging component of an SOA and an extension of the NetSMART
inference engine as the process engine to implement sharing policies.


Challenges: While new hardware and software technologies are available to perform system-level
design and implementation, there are many unknowns and challenges in achieving the two primary goals
of the project. Specifically:

1. Flowing valued information among network nodes in accordance with the commander's intent:

a. How do we model Complex Event Systems (CES) with enough precision to predict future states of
the system? A mathematical result over a century old establishes the existence of solutions to the
systems of equations which describe the complex event systems of interest (i.e. systems described
by compositions of discrete-event components and continuous-time components). However, to date no
method of discovering the solutions to such composed system models has been found. Thus, we will
follow an approach of constructing components with known dynamics, composing those components, and
experimenting with predicting future states of the composed systems.

b. Which metrics are sufficient for capturing commander's intent, and how do we measure system
parameters to estimate values of those metrics?

c. How do we accommodate the need of the commander to dynamically change the intent of an
operation while the operation is underway?

2. Moving information among network nodes in accordance with an expressed intent to share:

a. How do we discover trust relations between entities distributed in time and space which
normally are not connected as nodes in a communication network?

b. How do we dynamically chain together trust relations to establish a “chain of trust” among
components which are normally not connected?

c. How do we prove that the trust policies of DoD for sharing information are satisfied by the
system we implement for sharing information across security boundaries? For example, in the
scenario above, how do we prove that we comply with DoD policy in our implementation of a solution
for enabling the network to respond to a commander's declaration of an intent to share information
X with user Y and group Z for a period of time T?
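Question 2c and the phase lists in the Need-to-Know and Need-to-Share section above describe the same decision from two sides: a baseline of what each partner receives by default in each phase, and a commander's time-bounded declaration that overrides that baseline for one item. As an added example, not code from the project, the Go program below encodes both as one release decision and then checks the one property that DoD policy would certainly require, that no grant ever releases an item to a recipient whose clearance is below its label, by exhaustive enumeration over a finite model. Two assumptions are built in and should be read as such: labels form a total order with no compartments, and a grant expresses intent within what the label permits rather than above it (whether a sanitized copy could be produced for an uncleared partner is exactly what 2c leaves open). Item, principal and group names are constructed; the phase partner lists are transcribed from the lists above with abbreviated names.

```go
package main

import (
	"fmt"
	"time"
)

// Level is the mandatory label order assumed for this example.
type Level int

const (
	Unclassified Level = iota
	Secret
)

// Item is a unit of information: label, content category, and owning unit (its default need-to-know scope).
type Item struct {
	ID, Category, OwnerUnit string
	Level                   Level
}

// Principal is a candidate recipient: a person, an agency or a network node.
type Principal struct {
	ID        string
	Groups    []string
	Clearance Level
}

// Grant is the commander's "share item X with user Y and/or group Z during [NotBefore, NotAfter)".
type Grant struct {
	ItemID, Subject, Group string
	NotBefore, NotAfter    time.Time
}

// phasePartners transcribes the phase lists above: groups that receive HADR
// status data by default in each phase (names abbreviated).
var phasePartners = map[int][]string{
	1: {"MSF", "local-leaders", "UNAMA", "PRT", "BDE-HTT"},
	2: {"MSF", "local-leaders", "UNAMA", "PRT", "BDE-HTT", "Red-Cross", "Red-Crescent", "coalition-partner"},
	3: {"MSF", "local-leaders", "UNAMA", "PRT", "BDE-HTT", "Red-Cross", "Red-Crescent", "coalition-partner", "govt-reconstruction", "construction-companies"},
}

func inGroup(p Principal, g string) bool {
	for _, x := range p.Groups {
		if x == g {
			return true
		}
	}
	return false
}

// mandatoryOK is the Bell-LaPadula simple-security condition (no read up).
func mandatoryOK(it Item, p Principal) bool { return p.Clearance >= it.Level }

// Decide returns the verdict and the rule that produced it (for the audit log).
// Order: (1) mandatory label check, which no grant overrides; (2) need-to-know
// inside the owning unit; (3) an explicit, time-bounded grant; (4) the phase default.
func Decide(it Item, p Principal, phase int, now time.Time, grants []Grant) (bool, string) {
	if !mandatoryOK(it, p) {
		return false, fmt.Sprintf("mandatory: %s is not cleared for %s", p.ID, it.ID)
	}
	if inGroup(p, it.OwnerUnit) {
		return true, "need-to-know: recipient is in the owning unit"
	}
	for _, g := range grants {
		if g.ItemID != it.ID || now.Before(g.NotBefore) || !now.Before(g.NotAfter) {
			continue
		}
		if (g.Subject != "" && g.Subject == p.ID) || (g.Group != "" && inGroup(p, g.Group)) {
			return true, "need-to-share: grant valid until " + g.NotAfter.Format(time.RFC3339)
		}
	}
	if it.Category == "hadr-status" {
		for _, g := range phasePartners[phase] {
			if inGroup(p, g) {
				return true, fmt.Sprintf("need-to-share: phase %d default partner %s", phase, g)
			}
		}
	}
	return false, "no need-to-know, grant or phase default applies"
}

// NoReadUp checks exhaustively that Decide never releases an item to a
// recipient whose clearance is below its label, over every item, recipient,
// phase and sample time. For this finite model the enumeration is complete;
// it checks the policy as coded, not the deployed system around it.
func NoReadUp(items []Item, ps []Principal, grants []Grant, times []time.Time) bool {
	for _, it := range items {
		for _, p := range ps {
			for phase := range phasePartners {
				for _, now := range times {
					if ok, _ := Decide(it, p, phase, now, grants); ok && !mandatoryOK(it, p) {
						return false
					}
				}
			}
		}
	}
	return true
}
```

The ordering inside `Decide` is the whole argument: the mandatory check runs first and returns on failure, so every later rule, including a grant from the commander, can only add recipients within the label. `NoReadUp` restates that as a property and tests it over all combinations, which is the kind of finite, mechanically checkable evidence that 2c asks for; the sample times should straddle every grant's `NotBefore` and `NotAfter` so that expiry is exercised, and a real system would also need to show that the labels and clearances fed to this function are themselves trustworthy (the signature-chain problem of 2a and 2b).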